Authority transfer system, control method therefor, and client

ABSTRACT

An authorization code response is transmitted to a client, and the client uses a parameter included in the authorization code response and a parameter included in the authorization code response transmitted by a transmitting unit to verify that the authorization code response corresponds to an authorization code request.

BACKGROUND OF THE INVENTION Field of the Invention

The present disclosure relates to an authority transfer system which verifies an access authority to a web service, a control method therefor, and a client.

Description of the Related Art

An individual web server provides an open Application Programming Interface (API) for providing a web service, and web services can cooperate with each other via the open API. From a viewpoint of security in this case, a measure may be required for authorizing an access to one web service by another web service without handing over authentication information of a user managed by the one web service.

In order to achieve such a measure, a standard protocol (OAuth 2.0) has been adopted to implement a cooperation between web services. OAuth 2.0 is a mechanism for safely handing over (or transferring) authentication information of a user between web services with approval of the user, details of which will be described below.

According to OAuth 2.0, when a user performs an authorization operation, a web service B receives an authorization code. The authorization code is a code for certifying that the access to a web service A is authorized by the user. By using the received authorization code and information certifying the web service B, the web service B transmits a request to issue an authorization token to the web service A. The authorization token is a token for authorizing the web service B to access an open API provided by the web service A. The web service B receives the authorization token and thus the web service B is authorized to access the API of the web service A. The information for certifying the web service B may be an ID uniquely identifying the web service B, a secret that is confidential information, or a digital signature with a digital certificate.

Here, a term “authority transfer” refers to authorizing, by an authorization operation performed by a user, an access by the web service B to an API of the web service A. In OAuth 2.0, a server configured to issue an authorization code in response to an authorization operation performed by a user and to issue an authorization token from the authorization code is referred to as an authorization server. A server configured to provide an open API is referred to as a resource server, and an entity which accesses the open API is referred to as a client. In the example above, the server which provides the web service A corresponds to the authorization server and the resource server, and the server which provides the web service B corresponds to the client.

With reference to FIG. 1, Authorization Code Grant that is a processing flow according to OAuth 2.0 will be described. First, as a prior operation for implementing OAuth 2.0, a registration request is transmitted to the authorization server so that a client is registered as an OAuth 2.0 client (S0.0). More specifically, the client registration request is transmitted to a registration end point (“EP” in FIG. 1) of the authorization server upon start-up of the client or if the client is not registered at the beginning of the authorization flow in S1.1, which will be described below. The transmission of the registration request may be performed by a client actively communicating with the authorization server or by a user accessing the authorization server via a web browser and registering the client, for example.

The registration request in S0.0 includes a client name, a description, an icon image, and a redirect Uniform Resource Identifier (URI) that is a required parameter, which are displayed on an authorization confirmation screen described below. The redirect URI is response destination information (address) designating a response destination to which the authorization server transmits an authorization code response in order that the client receives the authorization code response from the authorization server. The authorization code response will be described below. The authorization server having received the client registration request issues a client ID identifying a client and a client secret that is confidential information for authenticating the client and returns the client ID and client secret to the client as a client registration response (S0.1). The authorization server holds the client ID and client secret received in S0.1 and the information and redirect URI received in S0.0 in association with each other. The client holds the client ID and client secret received in S0.1. Up to this point, the client registration flow that is the prior operation for implementing OAuth 2.0 has been described.

Next, a flow for authenticating a user in the authorization server will be described with reference to FIG. 1. The user may log in the client (S1.0). The client generates and holds a log-in context that is information identifying the log-in user. Information (such as a local user ID) identifying the log-in user can be obtained from the generated log-in context. The user may access a URI for starting an authorization (hereinafter, authorization start URI) via a web browser and may start an authorization flow according to OAuth 2.0 (S1.1). In response to the access to the authorization start URI for starting the authorization flow, the client transmits an authorization code request to an authorization end point of the authorization server (S1.2). The authorization code request includes a client ID, a redirect URI, and a state parameter.

The state parameter is information for uniquely associating the authorization code request with the authorization code response and is usable for preventing a CSRF (cross-site request forgery) attack and a token replacement (hereinafter, “authorization code replacement”) attack. For that purpose, the state parameter is an unpredictable and non-overlapping value. A match between the state parameter received by the client in the authorization code response, which will be described below, and the state parameter transmitted by the client in the authorization code request in S1.2 is verified. Further, in order to identify the user who has executed the authorization code request, the state parameter issued by the client is managed by the client in association with the redirect URI and the log-in context.

If the user has not logged in the authorization server, the authorization server having received the authorization code request in S1.2 responds with a log-in screen for authenticating the user on the web browser (S1.3). The user may input a user ID and a password via the web browser and execute an authentication request to the authorization server (S1.4). The authorization server having received the authentication request verifies a match between a combination of the user ID and password received in S1.4 and a pre-registered combination. If the combination of the user ID and password received in S1.4 matches the pre-registered combination, the authorization server issues an authorization token. The issued authorization token is responded to a Cookie of the web browser.

The authorization server responds with an authorization confirmation screen for a user to approve the authorization of the client on the web browser (S1.5). If the combination of the client ID and redirect URI received in S1.2 does not match the combination of the client ID and redirect URI pre-registered in the authorization server, the authorization server responds with an error screen on the web browser. This can prevent redirect (transfer) to an invalid URI. In a case where the log-in user has already executed the authorization operation by using the identical client ID, the processing in S1.5 can be omitted. Hereinafter, a combination of the authorized user ID and client ID will be referred to as approval information.

After the authorization operation is performed by the user in S1.6, the authorization server issues the authorization code and transmits the authorization code and the state parameter as an authorization code response to the client (S1.7). More specifically, the authorization code and the state parameter are added as a query parameter to the redirect URI, which is then transmitted to the web browser such that the authorization code and the state parameter are to be redirected to the response destination designated by the redirect URI. The authorization code issued in S1.7 is saved in association with the client ID, the user ID, and the redirect URL in the authorization server. The authorization server further saves the approval information.

The client having received the authorization code response for the redirect URI verifies whether the state parameter included in the authorization code response matches the state parameter managed by the client. If the state parameters match as a result of the verification, the client transmits a token request to a token end point of the authorization server (S2.0). The token request includes the client ID, the client secret, the authorization code obtained in S1.7, and the redirect URI received in S1.2.

The authorization server having received the token request in S2.0 verifies whether the combination of the client ID and the client secret matches the pre-registered combination. If it is determined as a result of the verification that they match, the client is authorized. The authorization server verifies whether it holds the authorization code having received in S2.0, and, if so, verifies whether the authorization code has not expired and whether the client ID and redirect URI in association with the authorization token match those received in the token request in S2.0. Through this verification, the authorization server can verify whether the client having transmitted the authorization code request in S1.2 matches the client having transmitted the token request in S2.0.

If the verification succeeds, the authorization server issues an authorization token to the client and responds with it as a token response to the client (S2.1). Here, the authorization server can issue to the client a refresh token for obtaining the authorization token again and responds with it as the token response. The client can access the open API provided by the resource server by using the authorization token received in S2.1. After issuing the authorization token, an authorization code managed by the authorization server can be discarded for prevention of a replay attack.

If the refresh token is included in the token response in S2.1, the log-in context and the refresh token are managed in association with each other in the client. Thus, the authorization token can be obtained again without performing the authorization operation (S1.2 to S1.7) for accessing the API on the next and subsequent occasions. More specifically, in response to a start of an authorization in S1.1, the client checks whether the log-in context of the user and the refresh token are associated with each other. If not, the flow according to OAuth 2.0 (processing in S1.2 and subsequent steps) is performed. If the log-in context of the user and the refresh token are associated with each other, a refresh request is transmitted to the token end point of the authorization server (S2.2). The refresh request includes the client ID, the client secret, and the refresh token.

The authorization server having received the refresh request verifies whether the combination of the client ID and the client secret matches the combination pre-registered in S0.1. If the match is confirmed and the client is authorized, authorization server verifies whether the received refresh token is held in the authorization server, and, if so, verifies whether the refresh token has not expired and whether the client ID in association with the refresh token matches the client ID in the refresh request. If these verifications are all succeeded, the authorization server issues an authorization token and transmits the authorization token as a token response to the client. Here, a new refresh token may be re-issued for obtaining the authorization token again and may be transmitted to the client simultaneously with the token response. After the new refresh token is issued in the authorization server, the authorization server discards, for prevention of a replay attack, the refresh token having been managed. The processing flow for Authorization Code Grant according to OAuth 2.0 has been described. The processing flow according to OAuth 2.0 enables the authorization server to issue an authorization token and the client to access an open API provided by the resource server by using the issued authorization token, instead of transmission of user's authentication information managed by the authorization server to the client. Japanese Patent Laid-Open No. 2016-6624 discloses an information processing system that cooperates with a plurality of external service systems by using the processing flow according to OAuth 2.0.

Reduction of costs for managing parameters in an authority transfer system has been demanded. For example, in the processing flow based on OAuth 2.0 illustrated in FIG. 1, a state parameter is set for transmitting an authorization code request to an authorization end point of an authorization server in S1.2. The value to be set for the state parameter should be unpredictable and non-overlapping and is usable for associating in a client an authorization code request transmitted from the client to an authorization server with an authorization code response received by the client. However, a value of the state parameter is to be issued every time an authorization code request is executed and, furthermore, is held in the client until it is deleted, which may impose a load relating to the management cost on the client.

SUMMARY OF THE INVENTION

The present disclosure has the following configuration. An authority transfer system comprises at least a processor and at least a memory coupled to the at least the processor and having stored thereon instructions, when executed by the at least the processor, and cooperating to act as: transmitting from a client to an authorization server an authorization code request for issuing an authorization code by the authorization server when an access to a resource server by the client is permitted by a user; receiving an authorization code response from the authorization server to the client, the authorization code response being a response to the authorization code request; and generating a log-in context when the user logs in the client, wherein the authorization code request transmitted by the transmitting includes signature information and a parameter having the log-in context set as a value of the parameter for associating the authorization code request with the authorization code response, wherein, after the signature information is verified in the authorization server, the authorization code response corresponding to the authorization code request is transmitted to the client, and wherein the client uses the parameter included in the authorization code response received by the receiving and a parameter included in the authorization code response transmitted by the transmitting to verify that the authorization code response corresponds to the authorization code request.

Further features of the disclosure will become apparent from the following description of exemplary embodiments with reference to the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a processing flow of Authorization Code Grant based on OAuth 2.0.

FIG. 2 is a configuration diagram illustrating an authority transfer system according to Embodiment 1.

FIG. 3 illustrates a hardware configuration of devices included in the authority transfer system.

FIGS. 4A to 4D illustrate a software module configuration of devices included in the authority transfer system.

FIGS. 5A and 5B illustrate examples of a user authentication screen and an authorization confirmation screen for a client to be displayed by a web browser.

FIG. 6 illustrates a processing flow of Authorization Code Grant based on OAuth 2.0 according to Embodiment 1.

FIG. 7 illustrates an example of a JWT including an authorization code request according to Embodiment 1.

FIG. 8 illustrates an example of a JWT including an authorization token according to Embodiment 1.

FIG. 9 illustrates a processing flow for determining a redirect URI in the client according to Embodiment 1.

FIG. 10 illustrates a processing flow of Authorization Code Grant based on OAuth 2.0 according to Embodiment 2.

FIG. 11 illustrates an example of a JWT including an authorization code request according to Embodiment 2.

FIG. 12 illustrates a flow for judgment on approval information in an authorization server.

FIG. 13 illustrates a processing flow of Authorization Code Grant based on OAuth 2.0 according to Embodiment 4.

DESCRIPTION OF THE EMBODIMENTS

The present disclosure can maintain roles of parameters such as the state parameter for associating an authorization code request with an authorization code response and, at the same time, can reduce costs for issuing and managing parameters in a client.

With reference to drawings, the best modes for embodying the present disclosure will be described below.

First, an authority transfer system according to an embodiment of the present disclosure will be described with reference to FIG. 2. A Wide Area Network (WAN) 100 is constructed by a World Wide web (WWW) system. The WAN 100 and devices 200 to 500 are connected over a Local Area Network (LAN) 101.

An authorization server 200 is a server for implementing OAuth 2.0 and is configured to perform processing such as receiving an authentication request and issuing and managing authorization codes. A resource server 300 has an open API for providing a web service. Although the authorization server 200 and the resource server 300 are connected over the LAN 101 in FIG. 2, they can be connected over the WAN 100. The authorization server 200 can further be connected to a database server, not illustrated, over the LAN 101 such that data to be used by the authorization server 200 for implementing its function or functions can be stored in the database server. Although the authorization server 200 and the resource server 300 are provided as separate servers in FIG. 2, the functionalities of the servers can be implemented in one server.

A client 400 corresponds to a client based on OAuth 2.0 and may be a printer, a Multi-Function Printer/Periphral (MFP), a Personal Computer (PC) or a smart phone, for example. A terminal 500 corresponds to a user agent based on OAuth 2.0. A user can use, via the terminal 500, functions of the devices such as a user authentication request to the authorization server 200 and a log-in operation to be performed on the client 400. The terminal 500 may specifically be a PC or a smart phone, for example.

The client 400 and the terminal 500 include a web browser 410 and a web browser 510, respectively. A user may operate the web browser 410 or the web browser 510 to execute an authorization operation, which will be described below. The client 400 and the terminal 500 are connected over the LAN 101. Hereinafter, the web browser 410 and the web browser 510 will be simply referred to as a “web browser” without the reference numerals if an operation can be performed by either one of them.

Next, with reference to FIG. 3, a hardware configuration of the authorization server 200, the resource server 300, the client 400, and the terminal 500 will be described. FIG. 3 is a block diagram illustrating a general information processing apparatus, the devices according to this embodiment can apply a hardware configuration of a general information processing apparatus or a virtual hardware configuration of an information processing apparatus that is provided as an Infrastructure as a Service (IaaS). The client 400 will be described as an example with reference to FIG. 3, but the resource server 300, the authorization server 200, and the terminal 500 all have the same hardware configuration.

A Central Processing Unit (CPU) 2001 is configured to read out a program from a Random Access Memory (RAM) 2002, a Read Only Memory (ROM) 2003, an external memory 2011, or the like and execute instructions of the program for control over the client 400. A sequence which will be described below can be implemented by executed instructions of such a program. The CPU 2001 is further configured to control blocks connected to a system bus 2004.

The RAM 2002 is a work memory usable by the CPU 2001 to execute instructions. A program such as an Operating System (OS) or an application saved in the ROM 2003 or the external memory 2011 may be loaded to the RAM 2002, and the CPU 2001 may sequentially read out and execute instructions of the program. The ROM 2003 is a storage device configured to store an embedded program and data including an application program and an OS. The ROM 2003 may be a flash memory or an erasable ROM. The RAM 2002 or the ROM 2003 may be a memory coupled to the CPU 2001 and having stored thereon instructions, when executed by the CPU 2001, and cooperating to act as various units, or to perform operations, described in the following.

A keyboard controller (KBC) 2005 is configured to control inputs from a keyboard (KB) 2009 and a pointing device, not illustrated. A cathode ray Tube Controller (CRTC) 2006 is configured to control display presented by a CRT display 2010. A disk controller (DKC) 2007 is configured to control data accesses to the external memory 2011. A network controller (NC) 2008 is configured to execute processing for controlling communications with the other devices connected to the device over the WAN 100 or the LAN 101. If the device is a virtual information processing apparatus provided as an IaaS, the device may not have the KBC 2005 and the CRTC 2006 but may be operated through a keyboard or a CRT display included in a terminal connected to the device via the NC 2008.

In the following descriptions, functions of the devices may be executed mainly by the CPU 2001 in hardware or mainly by a program installed in the RAM 2002, the ROM 2003, the external memory 2011 or the like in software, unless otherwise specified.

Next, with reference to FIGS. 4A to 4D, functions of the authorization server 200, the resource server 300, the client 400, and the terminal 500 will be described. The authorization server 200 has an authorization server unit 210 and an HTTP server unit 220. The HTTP server unit 220 is connected to the client 400 and the terminal 500 over the WAN 100 and is a function configured to perform HTTP communication with a web browser or a client application 420 which will be described below. The HTTP server unit 220 can perform communication based on SSL/TLS and has a certification store, not illustrated.

The authorization server unit 210 is a function configured to receive a request from a web browser 510 via the HTTP server unit 220 and responds with a result to the received request. More specifically, the HTTP server unit 220 is configured to receive a user authentication request from the web browser 510, generate an authorization token associated with user information on a user who have been successfully authenticated, and notify the authorization token to the web browser 510. The authorization token here may be a token indicating that a user is logging in the authorization server 200 or a token for verifying whether a user has been authenticated by the authorization server 200. Use of the authorization token enables the authorization server 200 to identify a user. An authorization code, on the other hand, is a token indicating that the client 400 to which authority is transferred through an authorization operation performed by an authenticated user is permitted to access an API of the resource server 300 on behalf of the user. The authorization server unit 210 can be further configured to hold a private key for adding signature information to authorization token. In this case, the private key may be used to add the signature information to the authorization token, and the authorization token with the signature information may be issued to the client 400.

The resource server 300 has a resource server unit 310. The resource server unit 310 is a function configured to provide an open API for providing a web service. The resource server unit 310 may have an HTTP server unit and may be configured to perform transmission and reception to and from an external device via the HTTP server unit, like the authorization server 200.

The client 400 has a web browser 410, a client application 420, and an authentication unit 430. The web browser 410 is a function to be implemented by a user agent for using the WWW, which is the same as the function of the web browser 510 included in the terminal 500. The web browser 410 is configured to communicate with the authorization server 200 and the client application 420 in response to a user operation. The client application 420 is configured to execute the open API provided by the resource server 300 to provide a user with a web service in combination with a function provided by the client application 420. According to this embodiment, the client application 420 corresponds to a client based on OAuth 2.0.

The authentication unit 430 is a function for authenticating a user. A user may input a local user ID and a local user password through an input screen, not illustrated, presented by the client 400 to use a function of the client 400. The client 400 in response to the input performs authentication processing on the user by comparing between information (local user ID and local user password) pre-registered in the authentication unit 430 and the input information and generates a log-in context. The authentication processing may be performed in any other forms such as an authentication with an IC card or a biometric authentication based on a fingerprint.

The log-in context is information for identifying a local user in the client 400 and may include a local user ID, for example. The log-in context is shared by the client application 420 and the authentication unit 430. Having described that, according to this embodiment, the processing for logging in the client 400 is executed by a user by directly operating the client 400, a user may log in the client 400 remotely via the web browser 510. In this case, the authentication unit 430 responds with a log-in screen, not illustrated, to the web browser 510. The user is authenticated based on a local user ID and a local user password input by the user through the log-in screen. In this case, a log-in context is generated in the authentication unit 430 and is shared by the client application 420 and the authentication unit 430.

Embodiment 1

According to Embodiment 1, the complexity of processing based on OAuth 2.0 due to a change of a URI of a client can be resolved without impairing security in execution of the processing. Like numbers refer to like processing flows described in FIG. 1 and this embodiment, and repetitive detail descriptions thereof will be omitted.

First, with reference to FIGS. 5A and 5B, a log-in screen for authenticating a user by the authorization server 200 and an authorization confirmation screen for inquiring a user about approval about authorization of the client 400.

FIG. 5A illustrates an example of a log-in screen displayed on a web browser and usable by a user for logging in the authorization server 200. The log-in screen is to be displayed on the web browser in a case where a user transmits an authorization code request to an authorization end point of the authorization server 200 via the web browser and the user has not logged in the authorization server 200. A log-in screen 5000 includes a user ID input field 5001, a password input field 5002, and a LOG IN button 5003 usable for executing a log-in operation. Processing to be performed after the LOG IN button 5003 is pressed will be described below.

FIG. 5B illustrates an example of an authorization confirmation screen with which the authorization server 200 responds to the web browser as a result of authentication of a user. The authorization confirmation screen 5100 has a content for inquiring a user about the approval, including a client name 5101 of the client 400 to be authorized and a description 5102 regarding the client 400, and an icon image 5103. The authorization confirmation screen 5100 further includes a PERMIT button 5104 and a REJECT button 5105 usable by a user for authorizing and rejecting the authorization of the client 400, respectively. Processing to be performed when the PERMIT button 5104 is pressed and when the REJECT button 5105 is pressed will be described below.

Next, a processing flow of Authorization Code Grant based on OAuth 2.0 having characteristics of the present disclosure will be described with reference to FIG. 6. Like numbers refer to like parts in FIG. 1 and FIG. 6, and any repetitive detail descriptions will be omitted. The processing in S0.0, S0.1, S1.2, S2.0, and S2.2 in FIG. 1 may be replaced by processing in S3.0, S3.1, S4.0, S5.0, and S5.1, which will be described below, to execute a processing flow based on OAuth 2.0 according to this embodiment.

First, a flow for registering the client 400 to be performed as a prior operation for executing OAuth 2.0 will be described with reference to FIG. 6. According to this embodiment, the client 400 actively communicates with the authorization server 200 to execute a registration request for the client 400, for example. However, a user may access the authorization server 200 via the web browser to execute a registration request for the client 400. The flow for registering the client 400 starts upon start-up of the client 400 or if the client 400 has not been registered yet at the beginning of the authorization flow in S1.1.

The client 400 transmits a registration request for the client 400 to the authorization server 200 (S3.0). The authorization server 200 having received the registration request generates a client ID for identifying the client 400 and a key pair of an encryption key and a decryption key (or a public key and a private key) for authenticating the client 400. According to this embodiment, a private key and an encryption key will be exemplarily described below. The authorization server 200 returns the generated client ID and the private key as a registration response to the client 400 (S3.1). The client ID and the private key are saved in association with each other in the client 400 while the client ID and the public key are saved in association with each other in the authorization server 200. This embodiment will be described by assuming the client ID as “client_01”. An example of association information held in the client 400 is illustrated in Table 1, and an example of association information held in the authorization server 200 is illustrated in Table 2.

TABLE 1 CLIENT ID PRIVATE KEY client_01 PRIVATE KEY A

TABLE 2 CLIENT ID PUBLIC KEY client_01 PUBLIC KEY A

The information to be transmitted to the client 400 as a registration response is not limited to the form as described above. For example, the client ID may be embedded as subject information of the private key, and only the private key may be transmitted to the client 400 as the registration response. Alternatively, the authorization server 200 can generate a private key in advance, and the private key can be pre-installed in the client 400 while it is being manufactured, without executing the registration flow (S3.0 to S3.1) for the client 400. The registration flow for the client 400 has been described up to this point.

In the related art, a redirect URI and information regarding the client 400 are transmitted to the authorization server 200 during an prior registration of the client 400 (S0.0), and the transmitted information is managed in the authorization server 200. In contrast, an prior registration (S3.0) according to the present disclosure does not transmit the information and does not manage the transmitted information in the authorization server 200.

Next, with reference to FIG. 6, a processing flow will be described from a step in which a user logs in the client 400 to a step in which the client 400 transmits an authorization code request to the authorization server 200. A user logs in the client 400 (S1.0). It is assumed that the local user ID here is “local_user_01”. The client 400 generates and holds a log-in context by which the local user ID can be identified. It may be configured such that the log-in context can become void in response to a log-out operation performed by a user or after an expiration date preset for the context.

Next, a user accesses a URI for starting an authorization of the client 400 via the web browser (S1.1). In a case where the user agent here is the web browser 410, a user can start the web browser 410 or can use a bookmark for the web browser 410 to access the URI. Alternatively, a user interface, not illustrated, of the client application 420 can be operated to start the web browser 410 to start the authorization processing. In a case where the user agent is the web browser 510, the web browser 410 can receive a remote access performed by the web browser 510, and the URI for the authorization start can be input for the access in the web browser 510, or a bookmark corresponding thereto can be used for the access. Alternatively, the client application 420 responds with a screen, not illustrated, to a remote access by the web browser 510, and a user can press a link to the URI for the authorization start embedded in the screen for the access.

If the client 400 in S1.1 receives the access to the authorization start URI, the client 400 transmits an authorization code request to an authorization end point of the authorization server 200 (S4.0). More specifically, a redirect instruction to the authorization end point of the authorization server 200 is transmitted to the web browser. The authorization code request transmitted in S4.0 includes information for designating an authorization code as a response type to the authorization code response and a state parameter for uniquely associating the authorization code request with the authorization code response.

The authorization code request transmitted in S4.0 further includes a JSON web Token (JWT). More specifically, client_assertion_type:jwt-bearer is declared in an OAuth 2.0 JWT Profile, and a JWT is set as a parameter for client_assertion. FIG. 7 illustrates an example of the authorization code request when a JWT is set as a parameter. A JWT includes a header part (starting from “Header”), a payload part (starting from “Payload”), and a digital signature part (starting from “Encoded”), all of which are encoded according to an encoding method denoted by Base 64.

In the payload part, a client ID “client_01” is set under “iss” (representing an issuer) and “sub” (representing a subject). A URI of an authorization end point of the authorization server 200 is set under “aud” (representing a user), and information is set under “exp” (representing an expiration date) and “iat” (representing an issued date and time). A client name is set under “client_name”, and a description of the client 400 is set under “description”. Referring to FIG. 7, “DEVICE XX” is set as a client_name of the client 400, and “DEVICE XX\r\nLOCATED IN YY.” is set as a description of the client 400. A redirect URI is set under “redirect_uri”, and “https://192.168.1.1/redirect”, for example, is set here. As necessary, information regarding an icon image is set under “icon_image” along with an image format of the icon image. The information to be set regarding the icon image can be a URI if the icon image exists or can be information for identifying the image if the image is held in the authorization server 200.

After these information pieces are set, character strings in the header part and the payload part are encoded according to Base64, and a digital signature is provided by using the private key held in the client 400 to the character strings. The authorization server 200 having obtained the JWT in S4.0 identifies a public key based on the client ID and verifies the digital signature included in the JWT by using the public key to authenticate the client 400 and verify that the character strings in the JWT are not altered. As a result, it is verified that the redirect URI included in the JWT of the authorization code request in S4.0 is set by the client 400 and is not altered.

Up to this point, the flow has been described from the step in which a user logs in the client 400 to the step in which the client 400 transmits an authorization code request to the authorization server 200. Based on the JWT, the redirect URI included in the authorization code request can be trusted. Therefore, the authorization server 200 may not compare it with a redirect URI and may not register a redirect URI with the authorization server 200 in advance. As a result, even when the URI of the client 400 is changed and the redirect URI is thus changed, the changed URI of the client 400 can be used to transmit the authorization code request to the authorization server 200.

The language to be used for writing information regarding the client 400 to be displayed on the authorization confirmation screen, such as a client name, a description, and an icon image can be determined based on language information regarding a language used by a local user, which is stored in the client 400, or language information set in an Accept-Language header on a web browser (language information included in a request from the web browser). This means that the information regarding the client 400 included in the authorization code request in S4.0 can be written based on the language information. Thus, the authorization server 200 can receive the information regarding the client 400 to present an authorization confirmation screen adapted for a local user who is logging in the client 400 to the user.

Next, with reference to FIG. 6, processing will be described from presenting the log-in screen to a user via the web browser to issuing an authorization code to the client 400. The authorization server 200 having received the authorization code request to the authorization end point presents the log-in screen if the user has not logged in the authorization server 200 (S1.3). FIG. 5A illustrates an example of the log-in screen. The user may input a user ID and a password on the log-in screen 5000 and press the LOG IN button 5003 to transmit an authentication request to the authorization server 200 (S1.4). The authorization server 200 having received the authentication request compares the combination of the user ID and the password with information registered in advance with the authorization server 200 and, if they match, issues an authorization token. The issued authorization token is returned to a Cookie of the web browser as a response. Here, the authorization token may be a random and unpredictable character string or may be an encrypted character string including identification information of the log-in user and a login date and time. In the former case, the authorization token is held in the authorization server 200 in combination with the identification information (or a user ID in this embodiment) of the log-in user. The user ID in this embodiment is assumed as “user_01” here.

The authorization server 200 responds with an authorization confirmation screen to the web browser (S1.5). FIG. 5B illustrates an example of the authorization confirmation screen. However, when the digital signature in the JWT received in the authorization code request in S4.0 is verified with the public key and if it is determined as invalid, an error screen, not illustrated, is returned, and the processing ends. The processing of the digital signature verification can prevent redirect to an invalid URI. A case where the digital signature in the JWT is valid will be described below.

The authorization confirmation screen 5100 is displayed on the web browser based on the values (client name 5101, the description 5102, and the icon image 5103) included in the JWT received in the authorization code request in S4.0. Here, if the user presses the REJECT button 5105 and if the combination of the client ID and the redirect URI matches the corresponding one registered in advance, the authorization server 200 adds information indicating that the user rejects the authorization of the client 400 to a query parameter in the redirect URI. The authorization server 200 then responses with an instruction to redirect the information to a response destination designated in the redirect URI to the web browser.

Use of such a JWT, as described above, enables rejection of an invalid authorization code request and can provide the web browser with a display screen indicating that the authorization code request has been rejected. Even if the request in S4.0 is not rejected, a user can reject the authorization through the authorization confirmation screen and transmit the information indicating that the authorization has been rejected to the web browser.

On the other hand, if the user presses the PERMIT button 5104, the authorization operation is executed (S1.6), and the authorization server 200 issues an authorization code. The authorization code issued in S1.6 and the state parameter received in the authorization code request in S4.0 are added as query parameters to the redirect URI, and an instruction to redirect the authorization code and state parameter to the response destination designated in the redirect URI is returned to the web browser (S1.7). The issued authorization code is saved in the authorization server 200 in association with the client ID, the user ID, and the redirect URI. The authorization code saved in the authorization server 200 may be used in the verification of the client 400 to be performed in response to a token request, which will be described below. Here, the authorization code is saved in association with the client ID “client_01”, the user ID “user_01”, and the redirect URI “https://192.168.1.1/redirect”, for example. The authorization code is to be an unpredictable, random character string and may have an expiration date. The authorization server 200 determines that the authorization is approved by the user and registers approval information (the user ID and the client ID) as information regarding the log-in user.

The client 400 having received the authorization code response in S1.7 transmits a token request to a token end point of the authorization server 200 (S5.0). The token request includes a JWT (JSON web Token) including a definition “grant_type=authorization_code” indicating that the authorization flow is based on Authorization Code Grant and the obtained authorization code and client authentication information. More specifically, the JWT is set here as a parameter in client_assertion in client_assertion_type:jwt-bearer declared in an OAuth 2.0 JWT Profile. FIG. 8 illustrates an example of the token request expressed by the JWT. Any repetitive detail descriptions of the part overlapping the authorization code request in FIG. 7 will be omitted.

The authorization server 200 having received the token request in S5.0 verifies a signature in the JWT by using a public key identified from the client ID. If the verification succeeds and the client 400 is authenticated, the authorization server 200 issues an authorization token and transmits a token response to the client 400 (S2.1). The client 400 transmits a refresh request to a token end point of the authorization server 200 (S5.1). In S2.2, an authentication method for the client 400 in the refresh request performs the comparison based on a combination of a client ID and a secret to authenticate the client 400. On the other hand, in S5.1, a digital signature added to a client ID is verified by using a private key to authenticate the client 400. This processing presents the log-in screen on the web browser and then issues an authorization code to the client 400.

Next, processing for determining a redirect URI to be set in the authorization code request will be described with reference to FIG. 9. The processing in FIG. 9 is a processing flow for determining a redirect URI in the client 400. This processing is started when the client 400 receives an initiation request (S1.1) for an authorization flow (S9.1). The client 400 obtains a Host header in the initiation request for the authorization flow (S9.2). The client 400 determines whether the domain part of the obtained Host header is “localhost” (S9.3). The domain part “localhost” corresponds to a host name indicating a device in which a program is to be executed and, in this case, indicates a web browser to which the initiation request for the authorization flow is transmitted. From the determination result in S9.3, the web browser to which the initiation request for the authorization flow is transmitted can be identified. It is assumed here that the web browser 410 transmits the initiation request for the authorization flow to the client 400. If the Host header is “localhost”, it is determined that the domain part of the redirect URI is “localhost” (S9.8). For example, the redirect URI may be “https://localhost/redirect”.

If the domain part of the Host header is not “localhost” in S9.3, the client 400 determines whether the domain part of the Host header is an IP address (S9.4). If not, the Host header obtained in S9.2 is used to make an inquiry to a DNS server, not illustrated, to obtain an IP address (S9.5). For example, in a case where the Host header is “www.canon.jp:443”, a port number “443” is added to “www.canon.jp” that is a domain (Fully Qualified Domain Name: FQDN). In this case, the domain part as a part of the Host header is extracted, and an inquiry is made to the DNS server with the domain part. After an IP address is obtained, processing in S9.6, which will be described below, is executed.

If the domain part of the Host header is an IP address in S9.4, the IP address preset in the client 400 and the obtained IP address are compared in the client 400 (S9.6). Whether the IP addresses match or not is determined in the client 400 (S9.7). If the IP addresses do not match, it is determined that the access received in S9.1 is invalid, and the processing terminates with error (S9.9). If the IP addresses match, it is determined that the access received in S9.1 is valid, and a URI having the domain part of the Host header obtained in S9.2 is generated. The generated URI is determined as a redirect URI (S9.8). The method for determining a redirect URI in the client 400 has been described up to this point. According to the method, a redirect URI can be determined in response to an initiation request for the authorization flow in the processing flow based on OAuth 2.0 even when the IP address or the host name is changed.

This embodiment can eliminate the necessity for prior registration and management of a redirect URI and information regarding a client to be presented on the authorization confirmation screen without impairing security in the processing flow of Authorization Code Grant based on OAuth 2.0 and can easily address dynamic changes.

Embodiment 2

In the processing flow based on OAuth 2.0 described with reference to FIGS. 1 and 6, a state parameter is set for transmitting an authorization code request to an authorization end point of an authorization server in S1.2 (or S4.0 in FIG. 6). The state parameter has an unpredictable and non-overlapping value for uniquely associating an authorization code request with an authorization code response. However, the value of the state parameter is to be issued every time an authorization code request is executed and is to be held in the client 400 until the value of the state parameter is deleted, imposing a load relating to management cost on the client 400. Processing for reducing costs for issuing and managing a value of the state parameter in the client 400 according to Embodiment 2 will be described. Although Embodiment 2 will be described with reference to a combination with the conventional technology (FIG. 1), Embodiment 2 can be combined with Embodiment 1 (FIG. 6).

With reference to FIG. 10, a processing flow of Authorization Code Grant based on OAuth 2.0 according Embodiment 2 will be described. Like numbers refer to like parts in FIG. 1 and FIG. 10, and any repetitive detail descriptions will be omitted. The prior registration of the client 400 according to Embodiment 2 is performed in the pattern (S0.0 to S0.1) based on the conventional technology but may be performed in the pattern (S3.0 to S3.1) according to Embodiment 1, any repetitive description of which will therefore be omitted. Because the processing from a time when a user logs in the client 400 (S1.0) to a time when an authorization initiation request is transmitted to the client 400 (S1.1) is performed in the same manner as that of the conventional technology or Embodiment 1, any repetitive descriptions will be omitted.

When the client 400 receives an access to a URL for authorization start in S1.1, the client 400 transmits an authorization code request to an authorization end point of the authorization server 200 (S7.0). More specifically, a redirect to the authorization end point is performed via a web browser. The authorization code request in S7.0 includes information for designating an authorization code as a response type, a client ID for uniquely identifying the client 400, a state parameter that is information for uniquely associating the authorization code request with the authorization code response, and the redirect URL. However, a log-in context is set as a value of the state parameter. The log-in context is a data object which holds information regarding a user logging in the client 400 and includes local user information for identifying a local user, such as a local user ID or an e-mail address of a local user. The JWT includes a client ID to be transmitted in the authorization code request and the log-in context set as the state parameter. The parameter setting in the JWT will be described below with reference to FIG. 11.

The authorization server 200 having received the authorization code request in S7.0 requests authorization of the client 400 to a user logging in the authorization server 200 by performing the processing in S1.3 to S1.6. The user may authorize the client 400 to execute an authorization operation. If the authorization operation is executed in S1.6, the authorization server 200 issues an authorization code. The issued authorization code is saved in association with a client ID, a user ID, and a redirect URL. In this case, the authorization code is saved in association with a client ID “client_01”, a user ID “user_01”, and a redirect URL “https://192.168.1.1/redirect”.

An instruction to redirect the authorization code and the log-in context set as a value of the state parameter in S7.0 to the redirect URL is transmitted to the web browser as a response (S7.1). Here, the authorization server 200 adds a digital signature to the authorization code and the state parameter by using a public key. The client 400 having received the authorization code response at the redirect URL verifies the digital signature value by using the private key held in the client 400 and verifies whether the content of the authorization code response received in S7.1 has not been altered. More specifically, the client 400 can verify that the log-in context saved in the client 400 and the log-in context received in S7.1 match and determine that the authorization code request and the authorization code response are associated with each other.

Because the processing (S2.0 to S2.2) for issuing an authorization token from the authorization server 200 to the client 400 after it is verified that the content of the authorization code response received in S7.1 has not been altered can be performed in the pattern (S5.0 to S5.1, S2.1) according to Embodiment 1, any repetitive descriptions will be omitted. Up to this point, the processing flow of Authorization Code Grant based on OAuth 2.0 according to Embodiment 2 has been described.

Next, with reference to FIG. 11, an example of a JWT to be transmitted in the authorization code request from the client 400 to the authorization server 200 in S7.0 will be described. Any repetitive detail description of the same character string included in the JWT as that in FIG. 8 will be omitted. In the payload part, state is set as well as iss (issuer) and sub (subject). In this case, “https://xxx.com/authrization” of an authorization end point of the authorization server 200 is set under and (user). Further, “user://local_user_01, mail: local_user_01@abc.com” is set as a log-in context under state. Character strings in the header part and the payload part are encoded according to Base 64, and a digital signature is provided by using the private key held in the client 400 to the character strings. Up to this point, the example of the JWT to be transmitted in the authorization code request in S7.0 from the client 400 to the authorization server 200 has been described.

Although FIG. 11 illustrates the log-in context written in text data of a JSON (JavaScript (registered trademark) Object Notation) format, the log-in context is not limited to have the format. The log-in context is used by the client 400 to identify a local user when the client 400 receives the authorization code response in S7.1 and may be any value acquired by performing reversible or irreversible encryption on the log-in context, for example.

According to Embodiment 2, an existing log-in context held by the client 400 is set as a value of the state parameter so that the necessity for generating a new value to be set for the state parameter can be eliminated in the client 400 and thus can reduce the costs for the generation and management in the client 400.

The log-in context is information by which a local user can be uniquely identified and does not overlap others. When the local user logs in the client 400, the log-in context can be generated by an OS (not illustrated) in the client 400 and becomes void when the local user logs off. The generation of a log-in context in response to a log-in operation performed by a local user makes a webpage open to public on a web browser where the log-in local user has an access authority to the webpage. The log-in context becomes void in response to a log-off operation performed by the local user so that the webpage for which the local user has an access authority can be prevented from making it open to other users and that the security can be guaranteed.

The state parameter on the other hand has an unpredictable and non-overlapping value for uniquely associating an authorization code request with an authorization code response. In other words, according to this embodiment, the value of the state parameter is replaced by a log-in context so that a property (information not overlapping others) of the state parameter can be maintained and that costs for generating and managing values of the state parameter in the client 400 can be reduced.

Use of a JWT in the authorization code request and the authorization code response enables safe exchange of a state parameter including user information between the authorization server 200 and the client 400 without impairing security in execution of processing based on OAuth 2.0.

Embodiment 3

In some cases, one user ID may be associated with a plurality of local user IDs instead of saving in the authorization server 200 a user ID uniquely in association with a local user ID of the client 400. More specifically, in some cases, a local user ID may be registered for each user in the client 400 while, in the authorization server 200, a common user ID may be used for a plurality of local user IDs instead of issuing a user ID for each user. For example, because of complexity of generation of a plurality of accounts (user IDs), a common account may be generated for work within one department and may be shared by a plurality of members of the department.

As a result, approval information (including the client ID and the user ID) is shared by a plurality of users of the client 400. Then, a problem occurs in which, although one user is executing an authorization operation, another user sharing the user ID included in the approval information executes an authorization operation.

In order to prevent a user ID from being shared, user IDs may be stored individually in the authorization server 200, which however requires issuance of a user ID for each user and needs costs for generation and management of the user IDs. According to Embodiment 3, a user ID is not shared by a plurality of user without generating and managing a new user ID in the authorization server 200.

First, approval information to be managed in the authorization server 200 will be described. Table 3 is an example of approval information stored in the authorization server 200.

TABLE 3 client_id user_id login_context consent client_01 user_01 {user: local_user_01, 1 mail: local_user_01@abc.com} client_01 user_01 {user: local_user_02, 0 mail: local_user_02@abc.com} client_02 user_02 1

On Table 3, “client_id” represents a client ID, “user_id” represents a user ID of a user registered with the authorization server 200, and “login context” represents a log-in context to be transmitted by the authorization server 200 in response to the authorization code request in S7.0. The log-in context includes local user information regarding a local user logging in the client 400. Absence of a value set under “login context” means that no log-in context is considered as approval information, and presence of a value set under “login context” means that the log-in context is considered as approval information. A flag “consent” indicates whether a user approves authorization on the authorization confirmation screen in S1.5. The flag “consent” having “1” indicates that authorization of the client 400 is approved while the flag “consent” having “0” indicates that the authorization is rejected. Absence of records in the approval information table on Table 3 indicates that a user has not authorized yet. As an alternative form of the approval information table, “consent” may not be provided. According to the form, a record is deleted from the approval information table if a user rejects the authorization of the client 400.

The approval information on the Table 3 is generated when the authorization server 200 receives an authorization operation performed by a user (S1.6). In S1.6, approval information including a client ID and a user ID is managed in the authorization server 200. According to this embodiment, a log-in context received in S7.0 (FIG. 10) in addition to a client ID and a user ID is managed as approval information as on Table 3.

A criterion for determining whether a log-in context is included in the approval information depends on whether the log-in context is preset in the client 400. The authorization server 200 can determine whether a log-in context is present in the client 400 mainly based on the following two forms. One form notifies to the authorization server 200 that the client 400 is a multiuser device having a log-in context when information regarding the client 400 is registered in S0.0.

According to a second form, when a web browser transmits an authorization request to the authorization server 200, a state parameter and another parameter notifying that the value of the state parameter is a log-in context are additionally transmitted. It is assumed here, according to this embodiment, the authorization server 200 based on one of the forms determines that a log-in context is present in the client 400 and the log-in context is included in the approval information regarding the user.

With reference to FIG. 12, a flow will be described for determining whether the authorization confirmation screen is to be displayed on a web browser. The flow in FIG. 12 is to be executed for determining whether the log-in screen is to be displayed in S12.2 after the authorization server 200 receives an authorization code request in S12.1. FIG. 5A illustrates an example of the log-in screen. When a user ID and a password are input through the log-in screen on the web browser, the authorization server 200 receives an authentication request from the web browser (S12.3). Because the processing in S12.1, S12.2, and S12.3 is the same as the processing in S7.0, S1.3, and S1.4 in FIG. 10, any repetitive detail descriptions will be omitted.

The authorization server 200 determines whether the user ID received in S12.3 and the log-in context and client ID received in S7.0 match the user ID, client ID and log-in context saved in advance in the authorization server 200 as approval information (S12.4).

If it is determined in S12.4 that the approval information registered in advance matches the user ID in S12.3 and the log-in context and client ID in S7.0, the processing moves to S12.5. Here, the matched user ID, client ID and log-in context registered as approval information with the authorization server 200 indicate that the user identified by the user ID and the log-in context has already executed the authorization operation by using the client 400 identified by the client ID.

On the other hand, if it is not determined in S12.4 that the approval information registered in advance matches the user ID in S12.3 and the log-in context and client ID in S7.0, it is determined that a user has not executed the authorization operation yet. Then, new approval information is generated based on the user ID in S12.3 and the log-in context and client ID in S7.0 (S12.9). The newly generated approval information is added as a record to the approval information an example which is illustrated on Table 3.

After the matched approval information is determined in S12.4, whether the approval information registered in advance is information the authorization of which is approved by the user is determined (S12.5). More specifically, the value of consent on Table 3 is checked. If the consent has “1”, an authorization code response to the client 400 is executed without executing the authorization confirmation screen (S1.5) and the authorization operation (S1.6). The processing flow then ends.

If the consent has “0” on the other hand or if new approval information is generated in S12.9, an authorization confirmation screen that is a screen for inquiring approval for authorization is returned to the web browser (S12.6). An approval result is received based on a user's operation (S12.7), and the approval result is saved in the authorization server 200 (S12.8). Table 3 illustrates an example of the approval information to be saved. Because the processing in S12.6 and S12.7 is the same as the processing in S1.5 and S1.6 in FIG. 10, any repetitive detail descriptions will be omitted. The flow has been described for determining whether the authorization confirmation screen is to be displayed on the web browser.

According to Embodiment 3, a log-in context is added to approval information (including a user ID and a client ID) until then. Upon every mismatch with respect to the user ID and the log-in context, an authorization approval screen can be displayed, and the approval information can be prevented from being shared by a plurality of users, without newly generating and managing user information.

Embodiment 4

According to Embodiment 4, an authorization code is not used for issuing an authorization token for reduction of loads of generation and management of authorization codes in the authorization server 200.

With reference to FIG. 13, processing of Authorization Code Grant based on OAuth 2.0 according to Embodiment 4 will be described. Like numbers refer to like parts in the aforementioned embodiments and this embodiment, and any repetitive detail descriptions will be omitted. Although Embodiment 4 will be described with reference to a combination with the conventional technology (FIG. 1), Embodiment 4, without limiting thereto, can be combined with Embodiment 1 (FIG. 6), Embodiment 2 (FIG. 10), or Embodiment 3.

First, after an initiation request for the authorization flow is transmitted to the client 400 in S1.1, the client 400 transmits an authorization code request to the authorization server 200 (S7.2). Although the information to be transmitted in S7.2 is the same as that in S1.2, “id_token” instead of “code” is designated as a response type of the authorization code request. Designating “id_token” as a response type of the authorization code request enables the authorization server 200 to transmit a user ID, instead of an authorization code, in an authorization code response to the client 400.

After a user approves the authorization of the client 400 in S1.3 to S1.6, the authorization server 200 transmits the authorization code response to the client 400 (S7.3). In this case, the authorization server 200 responds, to the web browser, with an instruction to redirect a user ID (user_id) and a state parameter to redirect URL. More specifically, the authorization server 200 adds a digital signature to the user ID the state parameter by using a public key of the client 400.

The client 400 having received the authorization code response in S7.3 verifies the digital signature by using a private key held by the client 400 and verifies that the content of the authorization code response is not altered. The client 400 further verifies that the state parameter transmitted in the authorization code request matches the state parameter received in the authorization code response to determine that the authorization code request and the authorization code response are associated with each other.

After it is determined that the authorization code request and the authorization code response are associated with each other, the client 400 transmits a token request to a token end point of the authorization server 200 (S7.4). The token request includes “grant_type=authorization code” indicating that the authorization flow is Authorization Code Grant. Although the value of “grant_type” is “authorization code” under the rule of OAuth 2.0, a user ID instead of an authorization code is to be sued for issuing an authorization token according to this embodiment.

The token request further includes a client secret, a client ID, and a JWT (JSON web Token) as a user ID obtained in S7.3. More specifically, the JWT is set here as a parameter in client_assertion in client_assertion_type:jwt-bearer declared in a OAuth 2.0 JWT Profile. It is assumed here that the client ID is “client_01” and the user ID is “user_01”. The client 400 adds a digital signature to the client ID and user ID by using a private key held by the client 400.

The authorization server 200 having received the token request in S7.4 verifies the digital signature added to the token request by using a public key identified from the client ID to authenticate the client 400. The received client ID and user ID are used to obtain approval information to determine whether the user approves the authorization of the client 400. If it is determined that the user approves the authorization, the authorization server 200 issues an authorization token and transmits the issued authorization token to the client 400 as a token response (S7.5). Here, a refresh token for obtaining an authorization token again is not issued. It is because the flow of Authorization Code Grant described with reference to FIG. 1 issues an authorization token by using an authorization code and the authorization code is disabled when the authorization token is issued. Therefore, a refresh token is to be issued for omitting the processing for executing the processing flow of Authorization Code Grant again, and the authorization server 200 and the client 400 store the refresh token. However, according to this embodiment, an authorization token is issued based on approval information (including a client ID and a user ID. Thus, in order to obtain an authorization token again, a token request may be executed by using approval information managed in the authorization server 200.

Up to this, the processing without using an authorization code for issuing an authorization token has been described. According to Embodiment 4, the authorization server 200 can omit the processing for issuing and storing an authorization code and a refresh token, which can reduce costs for managing authorization codes and refresh tokens in the authorization server 200. The omission of the refresh token storage processing in the client 400 can further reduce the management cost in the client 400.

A combination of Embodiment 4 and Embodiment 3 (which includes a log-in context in the approval information) transmits a client ID, a user ID, and a log-in context in the token request in S7.4.

OTHER EMBODIMENTS

Any combinations are possible among the aforementioned embodiments including the embodiment in which a redirect URL and information regarding the client 400 are included in a JWT (Embodiment 1), the embodiment in which a log-in context is set as a state parameter (Embodiment 2), and an embodiment in which an authorization token is issued without issuing an authorization code (Embodiment 4).

A scope parameter which indicates a scope of authorization can be designated in an authorization code request. For example, the scope parameter designated in an authorization code request can be managed in association with an authorization code, an authorization token, and a refresh token. The scope of authorization indicated by the scope parameter can be displayed in the displayed authorization confirmation screen 5100.

Embodiment(s) of the disclosure can also be realized by a computer of a system or apparatus that reads out and executes computer executable instructions (e.g., one or more programs) recorded on a storage medium (which may also be referred to more fully as a ‘non-transitory computer-readable storage medium’) to perform the functions of one or more of the above-described embodiment(s) and/or that includes one or more circuits (e.g., application specific integrated circuit (ASIC)) for performing the functions of one or more of the above-described embodiment(s), and by a method performed by the computer of the system or apparatus by, for example, reading out and executing the computer executable instructions from the storage medium to perform the functions of one or more of the above-described embodiment(s) and/or controlling the one or more circuits to perform the functions of one or more of the above-described embodiment(s). The computer may comprise one or more processors (e.g., central processing unit (CPU), micro processing unit (MPU)) and may include a network of separate computers or separate processors to read out and execute the computer executable instructions. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium. The storage medium may include, for example, one or more of a hard disk, a random-access memory (RAM), a read only memory (ROM), a storage of distributed computing systems, an optical disk (such as a compact disc (CD), digital versatile disc (DVD), or Blu-ray Disc (BD)), a flash memory device, a memory card, and the like.

While the disclosure has been described with reference to exemplary embodiments, it is to be understood that the disclosure is not limited to the disclosed exemplary embodiments. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

This application claims the benefit of Japanese Patent Application No. 2017-167284 filed Aug. 31, 2017, which is hereby incorporated by reference herein in its entirety. 

What is claimed is:
 1. An authority transfer system, comprising: at least a processor and at least a memory coupled to the at least the processor and having stored thereon instructions, when executed by the at least the processor, and cooperating to act as: transmitting from a client to an authorization server an authorization code request for issuing an authorization code by the authorization server when an access to a resource server by the client is permitted by a user; receiving an authorization code response from the authorization server to the client, the authorization code response being a response to the authorization code request; and generating a log-in context when the user logs in the client, wherein the authorization code request transmitted by the transmitting includes signature information and a parameter having the log-in context set as a value of the parameter for associating the authorization code request with the authorization code response, wherein, after the signature information is verified in the authorization server, the authorization code response corresponding to the authorization code request is transmitted to the client, and wherein the client uses the parameter included in the authorization code response received by the receiving and a parameter included in the authorization code response transmitted by the transmitting to verify that the authorization code response corresponds to the authorization code request.
 2. The authority transfer system according to claim 1, wherein the signature information is added to the authorization code request by using an encryption key held by the client, and wherein the authorization server verifies the signature information added to the authorization code request by using a decryption key held by the authorization server.
 3. The authority transfer system according to claim 1, wherein the transmitting transmits from the client to the authorization server via a user agent an authorization code request for permitting by the authorization server an access to the resource server by the client, wherein the parameter is a state parameter, wherein the log-in context is information including at least one of a local user ID and an e-mail address of the local user and uniquely identifying the local user.
 4. The authority transfer system according to claim 1, wherein the log-in context set in a parameter received by the authorization server is included in approval information used for permitting an access to the resource server by the client.
 5. The authority transfer system according to claim 4, wherein the approval information at least includes a client ID identifying the client and a user ID identifying a user logging in the authorization server.
 6. The authority transfer system according to claim 5, wherein the client transmits to the authorization server signature information and a token request including the client ID and the user ID and being usable for obtaining an authorization token by the client, and wherein the authority transfer system further comprises an issuing the authorization token from the authorization server to the client after the authorization server having received the token request verifies the signature information received along with the token request by using an encryption key, and after the issuing determines that an access to the resource server by the client identified by the client ID included in the token request is authorized by the user identified by the user ID included in the token request.
 7. The authority transfer system according to claim 6, wherein the authorization token is a token indicating that the client is authorized to access the resource server.
 8. The authority transfer system according to claim 6, wherein the issuing issues the authorization token after the issuing determines that a flag indicating that the user has authorized an access to the resource server by the client is added to approval information identified by the client ID and user ID included in the token request.
 9. The authority transfer system according to claim 1, wherein the authorization code request to be transmitted by the transmitting includes signature information and response destination information designating a response destination to be used by the authorization server for returning the authorization code response, and wherein the authority transfer system further comprises, after the signature information is verified in the authorization server, transmitting by the authorization server an authorization code response to an authorization code request transmitted by the transmitting unit, based on the response destination information included in the authorization code request.
 10. A control method for an authority transfer system, the method comprising: transmitting from a client to an authorization server an authorization code request for issuing an authorization code by the authorization server when an access to a resource server by the client is permitted by a user; receiving an authorization code response from the authorization server to the client, the authorization code response being a response to the authorization code request; and generating a log-in context when the user logs in the client, wherein the authorization code request transmitted by the transmitting includes signature information and a parameter having the log-in context set as a value of the parameter for associating the authorization code request with the authorization code response, wherein, after the signature information is verified in the authorization server, the authorization code response corresponding to the authorization code request is transmitted to the client, and wherein the client uses the parameter included in the authorization code response received by the receiving and a parameter included in the authorization code response transmitted by the transmitting to verify that the authorization code response corresponds to the authorization code request.
 11. A client comprising: a transmitting unit configured to transmit from a client to an authorization server an authorization code request for issuing an authorization code by the authorization server when an access to a resource server by the client is permitted by a user; a receiving unit configured to receive an authorization code response, the authorization code response being a response to the authorization code request; and wherein the authorization code request transmitted by the transmitting unit includes signature information and a parameter having the log-in context set as a value of the parameter for associating the authorization code request with the authorization code response, wherein, after the signature information is verified in the authorization server, the client receives the authorization code response corresponding to the authorization code request from the authorization server, and wherein the client uses the parameter included in the authorization code response received by the receiving unit and a parameter included in the authorization code response transmitted by the transmitting unit to verify that the authorization code response corresponds to the authorization code request.
 12. The client according to claim 11, wherein the transmitting unit transmits from the client to the authorization server via a user agent an authorization code request for permitting by the authorization server an access to the resource server by the client, wherein the parameter is a state parameter, wherein the log-in context is information including at least one of a local user ID and an e-mail address of the local user and uniquely identifying the local user.
 13. The authority transfer system according to claim 1, wherein the generating unit generates a log-in context when the user logs in the client before an authorization flow for processing of authorizing the client to use an open web service provided by the resource server is started in accordance with permission by the user. 